Port Forwarding. Unraid, Nginx, Cloudflare

Hello

I just bought a Mikrotik RB960PGS hEX. So i am new to Mikrotik and RouterOS.

I got my Teamspeak Docker and Plex docker ports set up correctly.
However i cant seem to get the ports for the SWAG (secure web application gateway) docker from Linuxserverio to work as intended.

I had this set up earlier through my old router. But i have not got it working yet on the new router.
The docker is basically Nginx, letsencrypt and fail2ban. So it allows me to access my nextcloud and bitwarden dockers from outside my network.

I have changed the default ports of SWAG to use port 180 and port 1443 rather than 80 and 443. The config files are the same from before i changed router.
Everything is still on the same IP-Range and using the ip adresses.

When i start the docker it fails and gives me an error message saying it is probalby due to portforwarding not being set up correctly.

ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

I can’t connect to my teamspeak server using the url teamspeak.sundur.no anymore either. So i have a suspicion that it is related to NAT reflection / Hairpin not being set up correctly.
The issue might also be caused by me using cloudflare to proxy my ip adress.

After reading on the mikrotik forum, unraid forum and some youtube videos i have yet to find a solution to this. Maybe someone on the Mikrotik forums can shed som light on the issue.

This is currently how it is set up in cloudflare.

The filter rule i have set up is:

add action=accept chain=forward comment="Accept all that is DST NATed" \
    connection-nat-state=dstnat connection-state=new

The NAT rules i have set up are:

add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.86.0/24 src-address=192.168.86.0/24

add action=dst-nat chain=dstnat comment="Unraid SWAG 80" dst-address-list=\
    cloud-ip dst-port=80 in-interface=ether1 protocol=tcp to-addresses=\
    192.168.86.5 to-ports=180

add action=dst-nat chain=dstnat comment="Unraid SWAG 443" dst-address-list=\
    cloud-ip dst-port=443 in-interface=ether1 protocol=tcp to-addresses=\
    192.168.86.5 to-ports=1443

“dst-adress-list=\ cloud-ip” is my cloudflare proxied ip.

I added this following a youtube guide for NAT hairpin: https://youtu.be/_kw_bQyX-3U

Complete router export:

#
# feb/21/2021 20:11:40 by RouterOS 6.45.9
# software id = E7KF-VIDH
#
# model = RB960PGS
# serial number = D52F0D38B6CA
/interface bridge
add admin-mac=08:55:31:7C:56:F5 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.86.50-192.168.86.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.86.1/24 comment=defconf interface=ether2 network=\
    192.168.86.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.86.0/24 comment=defconf gateway=192.168.86.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.86.1 comment=defconf name=router.lan
/ip firewall address-list
add address=cloud.sundur.no list=cloud-ip
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=forward comment="Accept all that is DST NATed" \
    connection-nat-state=dstnat connection-state=new
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.86.0/24 src-address=192.168.86.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Unraid Teamspeak" dst-port=9987 \
    in-interface=ether1 protocol=udp to-addresses=192.168.86.5 to-ports
add action=dst-nat chain=dstnat comment="Unraid Plex" dst-port=32400 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.86.5 to-ports
add action=dst-nat chain=dstnat comment="Unraid SWAG 80" dst-address-li
    cloud-ip dst-port=80 in-interface=ether1 protocol=tcp to-addresses=
    192.168.86.5 to-ports=180
add action=dst-nat chain=dstnat comment="Unraid SWAG 443" dst-address-l
    cloud-ip dst-port=443 in-interface=ether1 protocol=tcp to-addresses
    192.168.86.5 to-ports=1443
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes port=8080
set ssh disabled=yes
set www-ssl port=8443
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Oslo
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I actually found the solution to my issue.
In fact i had the router configured correctly with these NAT rules for the unraid SWAG docker:

add action=dst-nat chain=dstnat comment="Unraid SWAG 80" dst-port=80 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.86.5 to-ports=180
add action=dst-nat chain=dstnat comment="Unraid SWAG 443" dst-port=443 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.86.5 to-ports=1443

The issue was actually related to the SSL certificates.
The docker does not start unless they are found / created. (The docker uses letsencrypt to do the SSL challenge on your website)

The docker tried checking the SSL certificates i had earlier. However i reinstalled this docker and removed previous files. So the error i was getting was because the docker could not find the certificates.
So i had to change the SSL setting on cloudflares website and run the docker one time with the following setting to flexible. Then the certificates got created and i could change back to Full. After this the docker starts as usual.